registry  /  @inulute/cux  /  0.2.11

@inulute/cux@0.2.11

Run multiple Claude Code accounts as one

AI Security Review

scanned 3d ago · by lpm-firewall-ai

Install-time code fetches an opaque native executable from GitHub into the package directory. The CLI later launches that executable with inherited environment variables. No direct malicious behavior is established in the inspected JavaScript.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` downloads the payload; invoking `cux` executes it.
Impact
A remote, source-unavailable executable can act with the installing user's permissions when `cux` is run.
Mechanism
postinstall remote-binary staging followed by CLI execution
Rationale
This is an opaque remote payload carrier with weak source-pinned integrity, but the inspected JavaScript contains no confirmed exfiltration, destructive action, or install-time execution of the downloaded binary.
Evidence
package.jsoninstall.jsbin/cux.jsbin/cuxbin/cux.sha256
Network endpoints3
github.com/${repo}/releases/download/v${version}cux.inulute.com/docssupport.inulute.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node install.js` on `postinstall`.
  • `install.js` downloads a platform-specific executable during installation.
  • `CUX_RELEASE_REPO` can redirect downloads to another GitHub repository.
  • Checksum is fetched from the same remote source and is not pinned in package source.
  • `bin/cux.js` executes the downloaded binary with inherited environment.
Evidence against
  • No shell, eval, credential harvesting, or direct exfiltration exists in inspected JavaScript.
  • Postinstall only writes the package-local `bin/cux` executable and checksum.
  • The downloaded executable is not run during installation.
  • No AI-agent config or foreign control-surface write is present in inspected source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 2 file(s), 8.23 KB of source, external domains: cux.inulute.com, github.com, support.inulute.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License